This article is part two of a four-part series on cyberinsurance. Part one addressed the need for cyberinsurance. Part two discusses how to assess your company’s cyber exposure and select the right coverage.
As the saying goes, there are two types of companies: those who have been breached and those who have been breached and don’t know it yet. When your company is faced with a cyber-related liability, your position will be greatly improved if you have properly assessed your company’s risk and placed the appropriate coverage. Placing coverage appropriately is a three-step process: first, assessing your company’s risk appetite and insurance strategy; second, assessing your company’s cyber risk; and third, placing coverage with the appropriate insurance carrier.
Risk appetite and insurance strategy
Before you can assess your cyber exposure and build the proper cyber-coverage tower, you need to consider your organization’s risk appetite and the availability of cash reserves to respond to a cyber-related loss. This process should be part of and consistent with your organization’s overall risk-management plan. If your company has traditionally been comfortable with carrying a certain level of risk, accepting a higher deductible or self-insured retention can create opportunities for higher coverage limits and reduce the premium rate. If your company has traditionally sought first-dollar coverage from insurers with a minimal deductible, your available limits may be reduced and premiums will be higher. If your company is on the smaller end of the scale, cyber coverage as an add-on to your existing coverage may be available and preferable.
The answers to these questions will be determined by the size of your company, traditionally available cash reserves, and your company’s approach to risk management and insurance. Larger companies may be comfortable self-insuring for the first layer of coverage and purchasing excess coverage on top of that layer. Smaller companies may prefer a low deductible/lower-limit option with follow-form excess or umbrella coverage for cyber risks.
Cyber risk assessment
Once you have determined the type of coverage you intend to seek, you need to accurately assess your company’s potential cyber exposure and compare your exposures to the coverage available in the insurance marketplace. To accurately assess your cyber risk, you need to complete a cyber-security audit. This audit should include, at a minimum:
- an assessment of your cyber security program;
- an evaluation of your data-breach response plan;
- a review of your third-party vendors and suppliers’ security exposures and access to your network and data;
- a review of privacy protocols and records databases (including assessing what information you are collecting and storing, and why you are collecting and storing it);
- an assessment of cyber risks your company has assumed in contracts with others;
- an assessment of known threats (e.g. Distributed Denial of Service attacks, ransomware, phishing attempts including “spear-phishing,” and software vulnerabilities);
- a review of employee training programs to minimize the impact of social engineering, and
- an assessment of potential follow-on effects of a cyber incident: bodily injury or property damage due to disruption of operational technology (as opposed to information technology); supply chain disruption; loss of intellectual property, and damage to reputation.
This process should involve all necessary stakeholders (for example, representatives from your company’s risk management, security, privacy, information technology, operations, and business groups). As with any good audit, this process should be redundant and thorough. The key here is not to solve problems, but rather to identify the problems that need to be solved, the risks that need to be minimized, and the exposures that will continue to persist. There is no risk that can be completely eliminated, but identifying and quantifying persistent risks can help your company prepare.
Finally, while many companies work with third parties for IT and security solutions, it is not enough to rely on their expertise to protect you. Consider requiring additional insured status on your vendor’s insurance policies as part of your standard engagement contract for vendors (along with indemnity provisions). As part of this process, you need to verify that the coverage for which you negotiated is actually being provided by reviewing the actual insurance policy to confirm limits, deductibles, and policy language. Relying on a certificate of insurance (COI) is not sufficient because most certificates of insurance contain express disclaimers that the policy controls coverage and the COI will not confer coverage that is not provided by the policy. If you can, get a copy of the vendor’s entire insurance policy, with all endorsements, to verify you are getting the protection you negotiated.
Once you have a complete picture of the potential risks, vulnerabilities, and liabilities, you can compare your exposure to the types of coverage available in the marketplace. You should also review your current insurance portfolio to make certain that a combination of limited coverage grants and broad exclusions doesn't leave certain classes of risk uncovered. For example, during a discussion of cyber risk management, the risk manager of a Fortune 200 company explained that in a recent coverage review, his team discovered that due to the interplay between their cyber liability insurance, their property insurance, and their liability insurance, they had no coverage for property damage arising from acts of cyber terrorism. Needless to say, they immediately remedied the coverage gap, but had they not looked at their entire insurance portfolio, this risk would have gone uncovered.
Market assessment
The 2016 Betterly Report, the Cyber/Privacy Liability Survey, found that the insurance market for these risks is maturing, with at least 31 carriers writing cyber insurance. Betterly reported that gross premiums grew to $3.25 billion in 2016, from $2.75 billion in 2015, with “several very large underwriters” with gross premiums in excess of $100 million. Capacity varies from $1 million to $40 million per carrier, with most carriers writing both primary and excess coverage. Coverage availability varies by sector, so financial, healthcare, and larger retail companies may face restrictions and higher minimum deductibles or self-insured retentions. As the cyber insurance market matures, total capacity and coverage options will expand, increasing the availability of coverage, but complicating the selection process.
The Betterly Report explains that cyber policies provide the following coverages: data privacy liability, property and theft, and other liability.
Data privacy coverage includes four types of coverages:
- Liability (defense and settlement costs for the liability of the insured arising out of its failure to properly care for private data);
- Remediation (response costs following a data breach, including investigation, public relations, customer notification, and credit monitoring);
- Regulatory fines and penalties (the costs to investigate, defend, and settle fines and penalties that may be assessed by a regulator. Most insurers do not provide this coverage, although there can be coverage for defense costs), and
- PCI (credit card) fines and penalties (including forensic services and card re-issuance costs).
Property and theft coverage includes insurance for DDoS, cyber-theft (including deceptive funds transfer), and supply-chain disruption, though available coverages vary widely between insurers.
Liability for bodily injury and property damage caused by a cyber risk has not traditionally been covered, but Betterly reports that some insurers are changing this approach, though availability is limited. This coverage can be important because traditional liability policies exclude cyber-related property and bodily injury losses.
When selecting an insurance carrier, it is important to compare your company’s risk profile to the available coverages to ensure you purchase the right coverage. It is also important to review related offerings, such as claim reporting and risk-management assistance provided by various carriers to determine if such services are potentially beneficial for your company. Finally, compare the exclusions in coverage forms if possible, because some carriers still include exclusions based on “erroneous” information in insurance applications, which can be broadly interpreted to deny coverage.
Editor's note: Hogan will be part of an IAPP Web conference, "Mastering the cyberinsurance application process," on May 18, which is free for IAPP members.